August 25, 2016

3 Things CISOs Need To Know About the Trident iOS Vulnerabilities


Earlier today, Lookout and Citizen Lab published findings about a sophisticated, targeted, and persistent mobile attack on iOS using three zero-day vulnerabilities we call “Trident.” The attack allows an adversary to silently jailbreak an iOS device and stealthily spy on victims, collecting information from apps including Gmail, Facebook, Skype, WhatsApp, Calendar, FaceTime, Line, Mail.Ru, and others.

This discovery is further proof that mobile platforms are fertile ground for gathering sensitive information from target victims, and that well-resourced threat actors are regularly exploiting that mobile environment.


According to a new report from Citizen Lab, NSO Group, an organization that claims to specialize in “cyber war,” created a mobile espionage product called Pegasus. Citizen Lab recently caught the first in-the-wild sample of the iOS version of Pegasus, which uses three previously unknown vulnerabilities in iOS (we are aware that NSO Group advertises similar products for Android and Blackberry) to jailbreak the device and spy on victims. Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile: always connected (Wi-Fi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. Lookout and Citizen Lab worked directly with Apple to fix the vulnerabilities. Apple was very responsive and patched Trident in its 9.3.5 update. All iOS users should update to this version immediately. Lookout will also detect and alert its customers to this attack.

The three key learnings from this attack for enterprise CISOs and CIOs:

1. Mobile devices and enterprise intellectual property are being targeted by sophisticated corporate espionage

The Pegasus sample Lookout observed was deployed against a political target. However, attackers also deploy Advanced Persistent Threats (APTs) against corporations in order to access infrastructure and steal IP, customer data, or perform other espionage. These exploits are ideally suited to targeted, enterprise-focused attacks, and we expect that customers of this type of software are using them for that purpose.

Given the high price tag associated with these attacks — Zerodium paid $1 million for an iOS vulnerability last year — we believe this kind of software is very targeted, meaning the purchaser is likely to be both well-funded and specifically motivated. The going price for Pegasus was roughly $8 million for 300 licenses, so it’s not likely to be used against an average mobile device user, only targets that can be considered of high value.

While your CEO or CTO is among those high-value targets, there are many others within your organization who could find themselves in an attacker’s crosshairs. Rank-and-file employees with credentials to access enterprise networks are clearly perceived as valuable targets by global threat actors. Unprotected employee mobile devices with access to sensitive corporate data are now likely to be the lowest-hanging fruit for attackers looking to breach an enterprise.

2. SMS phishing is how you’ll get owned

The Pegasus attack starts with an SMS phishing attack using spoofed sender numbers and anonymized domains to deliver malware to the target’s iPhone.

The target’s phone is remotely jailbroken and immediately starts compromising the target’s digital life. Calls, texts, calendar and contacts are all copied and sent to the attacker. The software is capable of activating a phone’s cameras and microphone to snoop on conversations around the device. It can also track a victim’s movements and steal messages from end-to-end encrypted chat clients. By remotely jailbreaking the target’s iPhone, the attackers would have access to significantly more sensitive information than if they had compromised a laptop.

What happens after a threat actor has compromised a target’s smartphone will depend on the identity of the attacker. For example, aggressive corporate competitors and nation state actors could be more interested in credentials and communications and business apps such as Gmail, Skype, WhatsApp, Calendar, and others that may contain confidential technical, financial, or customer information.

Enterprises that have thousands of employees who use their phones for both work and personal communications are susceptible to attacks like Pegasus, which clearly demonstrate how a single tap on a malicious SMS message can give an attacker the “keys to the kingdom.”

3. Lookout Mobile Endpoint Security protects against Pegasus and other mobile threats

The Lookout Mobile Endpoint Security solution’s advanced jailbreak detection is able to detect the indicators of compromise generated by the Pegasus attack, and inform users affected by this highly targeted threat.

To keep enterprise data safe, Lookout Mobile Endpoint Security looks at four important vectors:

  1. Device behavioral anomalies — Mobile Endpoint Security fingerprints the OS and file system and compares it to our dataset to spot when the OS or file system is in an unexpected state.
  2. Vulnerability assessments — Mobile Endpoint Security detects when mobile devices are rooted or jailbroken, whether malicious or user-initiated.
  3. Network security — Mobile Endpoint Security monitors network traffic and determines when a connection is unsafe, alerting admins to compromised connections.
  4. App scans — Mobile Endpoint Security identifies malware, as well as "risky" apps that may leak information a corporate deems sensitive but that are not inherently malicious.
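The first two vectors above, fingerprinting the OS and file system against a known-good dataset and flagging jailbreak indicators, can be illustrated with a small baseline-comparison routine. The following Python is an added example written for this article, not Lookout's or Citizen Lab's code: it hashes a constructed file-system snapshot, diffs it against a constructed baseline, and reports added, modified and missing paths plus any path that matches an illustrative list of jailbreak indicator locations (the indicator list and both snapshots are assumptions made up for the example, not Lookout's dataset or Pegasus indicators of compromise).

```python
import hashlib
from dataclasses import dataclass, field

# Illustrative jailbreak indicator paths assembled for this example
# (hypothetical list, not a vendor dataset). On a stock iOS file system
# none of these should exist, so their presence is an unexpected state.
JAILBREAK_INDICATOR_PATHS = frozenset({
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/etc/apt",
    "/private/var/lib/apt",
})


def sha256_hex(data: bytes) -> str:
    """Content hash used as the per-file fingerprint."""
    return hashlib.sha256(data).hexdigest()


def build_fingerprint(files: dict[str, bytes]) -> dict[str, str]:
    """Map every path in a snapshot to the SHA-256 of its content."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass
class FingerprintDiff:
    added: list[str] = field(default_factory=list)      # paths absent from baseline
    modified: list[str] = field(default_factory=list)   # same path, different hash
    missing: list[str] = field(default_factory=list)    # baseline paths no longer present
    jailbreak_indicators: list[str] = field(default_factory=list)

    def is_anomalous(self) -> bool:
        """Any deviation from the baseline is worth an alert to the admin."""
        return bool(self.added or self.modified or self.missing
                    or self.jailbreak_indicators)


def compare_fingerprints(baseline: dict[str, str],
                         current: dict[str, str]) -> FingerprintDiff:
    """Diff a device's current fingerprint against the known-good baseline."""
    return FingerprintDiff(
        added=sorted(p for p in current if p not in baseline),
        modified=sorted(p for p in current
                        if p in baseline and current[p] != baseline[p]),
        missing=sorted(p for p in baseline if p not in current),
        jailbreak_indicators=sorted(p for p in current
                                    if p in JAILBREAK_INDICATOR_PATHS),
    )


# Constructed sample data: a tiny "stock" snapshot and a compromised copy of it.
# Real snapshots would be collected from the device; these bytes are invented.
BASELINE_FILES: dict[str, bytes] = {
    "/usr/lib/libSystem.B.dylib": b"stock libSystem",
    "/System/Library/CoreServices/SystemVersion.plist": b"ProductVersion 9.3.5",
    "/usr/bin/login": b"stock login",
}

COMPROMISED_FILES: dict[str, bytes] = {
    **BASELINE_FILES,
    "/usr/bin/login": b"patched login",                              # modified
    "/bin/bash": b"shell",                                           # added + indicator
    "/Library/MobileSubstrate/MobileSubstrate.dylib": b"hook",       # added + indicator
}


def scan_device(current_files: dict[str, bytes]) -> FingerprintDiff:
    """Fingerprint a snapshot and compare it to the constructed baseline."""
    return compare_fingerprints(build_fingerprint(BASELINE_FILES),
                                build_fingerprint(current_files))


if __name__ == "__main__":
    for label, snapshot in (("stock", BASELINE_FILES),
                            ("compromised", COMPROMISED_FILES)):
        diff = scan_device(snapshot)
        print(f"{label}: anomalous={diff.is_anomalous()} added={diff.added} "
              f"modified={diff.modified} indicators={diff.jailbreak_indicators}")
```

The design point is that the baseline is an allow-list of hashes rather than a deny-list of known malware: a jailbreak that patches a system binary shows up as a modified path even when the tooling dropped on the device is something no signature has seen before, while the indicator list catches the well-known post-jailbreak artifacts cheaply.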

Contact Lookout today to learn if your enterprise is affected and how Lookout Mobile Endpoint Security can protect your organization.

Think you've encountered a suspicious link similar to the Pegasus attack? Email


Mike Murray

Chief Security Officer

Mike Murray is the Chief Security Officer at Lookout. For nearly two decades, Mike has focused on high-end security research, first as a researcher and penetration tester and then building and leading teams of highly skilled security professionals. He previously led Product Development Security at GE Healthcare, where he built a global team to secure the Healthcare Internet of Things. Prior to that, he co-founded The Hacker Academy and MAD Security, and has held leadership positions at companies including nCircle Network Security, Liberty Mutual Insurance and Neohapsis.
